Should I Worry that My Website Will be Hacked?

In the last month, we’ve had two long-time clients come to us because their websites were hacked. Everyone agrees that websites are the storefront of today. You can’t afford to have your website down for even a few minutes, not to mention an entire day or a month.

Should you worry about your website getting hacked? Some people do, but don’t do anything to reduce the risk, and others think that it can’t happen to them. Whether the site is a target can depend on whether it gets a lot of traffic or has keywords that are beneficial to the hackers. Getting hacked can take a number of different forms. It can run the gamut from your website suddenly showing ads for terrorist ammunition, to your site performing really slowly because it is serving up backlinks for a hacker’s website. One client had a hacker change their title tag and lock them out of their site so they couldn’t change it back. The image below shows how the title of the page looked in the browser.

And in the most extreme, worst case, the site is down for days and can’t be recovered, even from backup.

The most common question I hear after a site has been hacked is: what would they want with my website? We don’t collect credit card information. Well, a lot. For one thing, backlinks are very important for search engine optimization, and your site can provide very good links to other sites. Additionally, they can hijack the site for advertising or just to show they can. Here are 6 steps that you can take to avoid having your website hacked, and they are all easy to do.

Prevention is the Best Medicine to Protect Your Website from Getting Hacked

1. Use secure hosting from a reputable provider

If one site gets hacked on a shared server, they are all vulnerable. We have spent a lot of time researching and trying out hosting providers and we provide our clients with managed website hosting through reselling Liquidweb. Although our clients’ sites are on a shared server, they are separated, and the managed hosting immediately alerts us to any problem. About 40% of vulnerable sites were hacked through a security vulnerability on their hosting platform.

2. Use strong passwords

This means no dictionary words and no common names. Don’t use the same password for your website as you do for other online activities. Use a password program so that you can make your passwords strong, but don’t need to type in 20 random characters each time you need to log in. Only 8% of WordPress websites were hacked last year because of a weak password, but this is an easy fix. If you run a multi-author or multi-user WordPress site, then you can enforce strong passwords for all users on your site. You can also add two-factor authentication to make it even more difficult for hackers to enter your WordPress admin area. Make sure strong passwords are used for:

    • Your WordPress admin account
    • Web hosting control panel account
    • FTP accounts
    • MySQL database used for your WordPress site
    • Email accounts used for WordPress admin or hosting account

3. Don’t use “admin” as WordPress username

In addition, make sure your programmer has password protected the admin area of your Content Management System (CMS).

4. Update your website CMS software

Whether your site runs on WordPress, Drupal, or another CMS, keep the software up to date. It is the best investment to keep your site up and running. According to codeinwp.com, 61% of infected WordPress sites are out of date (Oct 2018). And according to one study, 30.95% of Alexa’s top 1-million websites run a vulnerable version 3.6 of WordPress.

In addition to the basic software, many open source CMS have plugins and themes written by the community. Keep those up to date.

5. Use Monitoring Software

We use the Wordfence plugin on all our WordPress sites, and Liquidweb runs it on our managed hosting servers. It is reported that Wordfence blocks up to 90,000 attacks on WordPress sites every minute. Additionally, make sure your webmaster account is set up to alert you if any malware shows up on your site. We also use Sucuri to detect issues. We had one client that required a monthly report on the security of their site after a previous webmaster let their site get hacked and was unable to recover it.

6. Be careful which plugins you install

If you are using WordPress, Drupal, or Joomla, the plugins can be an unlocked and open door to your site. According to WPScan, 52% of the vulnerabilities are caused by WordPress plugins. And 11% of WordPress vulnerabilities are caused by themes with huge holes.
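
Steps 3, 4 and 6 can be checked automatically on a WordPress site. The script below is an added example, not code from this post or from any plugin it mentions; it assumes the WP-CLI tool is installed and reads the JSON that the commands in its comments print. The sample data, account names, plugin names and version numbers are constructed for illustration.

```python
import json

# Constructed sample data in the shape WP-CLI prints with --format=json.
# On a real site, capture the four inputs with:
#   wp user list --fields=user_login,roles --format=json
#   wp core check-update --format=json
#   wp plugin list --fields=name,status,update,version --format=json
#   wp theme list --fields=name,status,update,version --format=json
SAMPLE_USERS = """[{"user_login": "Admin", "roles": "administrator"},
                   {"user_login": "editor1", "roles": "editor"}]"""
SAMPLE_CORE = """[{"version": "9.9.9", "update_type": "minor",
                   "package_url": "https://example.invalid/wp.zip"}]"""
SAMPLE_PLUGINS = """[
  {"name": "example-forms", "status": "active", "update": "available", "version": "1.2.0"},
  {"name": "example-seo", "status": "active", "update": "none", "version": "4.0.1"}]"""
SAMPLE_THEMES = """[
  {"name": "example-theme", "status": "inactive", "update": "available", "version": "2.1"}]"""


def _load(text):
    """Parse WP-CLI JSON output. Blank output is treated as an empty
    list (an assumption made so an up-to-date site yields no findings)."""
    text = text.strip()
    return json.loads(text) if text else []


def audit(users, core, plugins, themes):
    """Return one finding per problem, labelled with the step it relates to."""
    findings = []
    for user in _load(users):
        # Step 3: the default username, whatever its capitalisation.
        if user["user_login"].lower() == "admin":
            findings.append(f'step 3: account "{user["user_login"]}" '
                            f'({user["roles"]}) uses the default admin username')
    for update in _load(core):
        # Step 4: every entry is a core release newer than the installed one.
        findings.append(f'step 4: WordPress core update available: '
                        f'{update["version"]} ({update["update_type"]})')
    for kind, listing in (("plugin", plugins), ("theme", themes)):
        for item in _load(listing):
            # Steps 4 and 6: outdated plugins and themes, active or not.
            if item["update"] == "available":
                findings.append(f'step 4/6: {kind} "{item["name"]}" {item["version"]} '
                                f'({item["status"]}) has an update available')
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_USERS, SAMPLE_CORE, SAMPLE_PLUGINS, SAMPLE_THEMES):
        print(line)
```

An empty result means none of the three steps raised a flag; anything else is a list of things to fix before they become a way in.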

Cleaning up a Hacked WordPress Site

This can be very painful and there are services that specialize in clean up. However, it can be costly, so doing regular backups and being able to restore the files immediately are most important.

Last note:

HTTPS does not stop attackers from hacking a website, web server, or network. You do need an SSL certificate to secure communications between your site’s server and your visitor’s computer. However, the SSL certificate will not stop hackers from exploiting software and password vulnerabilities. For more about SSL certificates and securing your website, read our blog: “Do I need SSL, HTTPS on my website”.
Written by Barbara Irias